Security DJ

Yubico, the company behind the security authentication device Yubikey, have been implementing some major changes that have increased security. Many of the vulnerabilities that was pointed out earlier this year on Security.dj are now fixed, the main one being dropping the automatic navigation feature in the firmware. I met with CEO Stina Ehrensvärd a few weeks ago, and she offered that Yubico could write a short answer to the issues pointed out earlier, and how they have addressed them. I am certain that Yubico will still find room for further improvement for security as they continue their work for even higher quality and security.

Here are the issues mentioned in an earlier post here at Security.dj and Yubicos’ answers to these:

Yubikey is not a read-only device. Its internal configuration is unprotected.
The configuration can be protected by an optional 48-bit password. A large percentage of the customers who order a small number of Yubikeys are experimenting and rewriting the configuration. If all keys were programmed with a configuration password, this would make experimenting more difficult and potentially lead to customers killing their keys if the configuration was lost. Bottom line is that this setting is intentional and the users who want to have its configuration protected can easily enable this option. Customers who order a larger number of Yubikeys can optionally have the configuration password set according to their specific needs, i.e. randomized, linear, from file, a single fixed value etc. It is worth mentioning that deploying unprotected Yubikeys does not affect the security per se, as configuration data is write-only, i.e. it cannot in any way be read back from the Yubikey. The risk is rather that the Yubikey is open for sabotage, i.e. the valid / legitimate configuration is overwritten or deleted.

Yubikey can create and send passcodes over the Internet without you pressing the key.

The YubiKey 1 included an option to generate the one time pass-codes by a double click on the caps-lock or num-lock buttons on the main keyboard. It seems however as this feature is not used and the function has been removed in Yubikey 2. It is however important to understand that even for Yubikey 1, this feature needs to be explicitly enabled. Users who don’t like the function shall therefore leave it disabled.

Yubikey-generated one time passcodes are valid regardless of time.

Only partly true as the pass-codes also comprise a timer component that can be used to detect the time delta between two codes generated. Furthermore, as all old pass-codes get invalidated each time a new one is generated and authenticated, codes do have a practical limited lifetime in most settings. We recommend users who are concerned of a potential “store-and-forward” attack to design their service in such a way that the user generates at least two pass-codes during a critical session. A good parallel is Internet banks where the user can log on and make simple transactions just by using a username and password. If, for example funds are to be moved to a foreign account, the user will have to log on using a token. When the fund is then later to be committed, the token must be used again. A similar scheme would be perfectly usable for the Yubikey as well. The functionality for detection time delta will be fully implemented in the Yubico hosted  validation server during Q4 2009.

Yubikey can be used to download and execute malicious code on computers

The “automatic navigation” feature was implemented for pure convenience. As the function does not work reliably for all platforms and has some potential security aspects as indicated, this function has been completely removed from firmware 1.3.6. It is worth re-stating that there is no memory storage on the Yubikey like with an USB memory stick. This means that Trojans / malicious code cannot be stored or injected into the Yubikey.

A Yubikey lost means the passcode revealed, since it has no lock.

In the default One Time Passcode mode, a lost YubiKey can be disabled on the validation server. In the “static pass-code mode” is an optional feature that a fair amount of users appreciate as it works right away with legacy systems. As this is a static code it certainly has its weaknesses and shall therefore only be used when the user is fully aware of these limitations.

The Yubikey validation service is not backed by the vendor – it is offered as “best effort”.
The Yubico validation server is a free service that was initially designed as a “proof of concept” only. As more and more users have asked for a more reliable and secure server, Yubico has completely re-designed the architecture and key lifecycle management procedures. The server has furthermore been moved to a physically more secure server location, used by leading Swedish financial institutions. We recommend  customers who are concerned about security and reliability as a part of their overall service concept to run their in-house validation server.

Attackers have access to the source code and documentation of the validation server.
We strongly believe that the open source approach makes the system in whole more secure as it is open to public scrutiny. There should not be any “by-design weakness” in the setup that would justify keeping anything secret. The “security by obscurity” approach is not considered best practice by the security industry.

Unused features that can be used as attack vectors are left in the firmware.
As stated earlier, the “automatic navigation” and “keyboard trigger” features have been all removed in firmware. All functionality is properly described in “The Yubikey manual” Users must of course be aware what it means to enable specific features from a security- and systems perspective.

This entry was posted on Sunday, August 30th, 2009, 6:30 pm and is filed under Security Reviews. You can follow any responses to this entry through RSS 2.0. You can leave a response, or trackback from your own site.